github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-30 03:34:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Forces downloads using https-only for resources or rules

Browse Source 
This commit makes ModSecurity to refuse to download or install rules
(SecRemoteRules) from sites that are not running HTTPS with a valid and
trusted certificate.
This commit is contained in:
Felipe Zimmerle
2014-11-13 12:52:00 -08:00
parent 59fc243503
commit b5398abaf2
5 changed files with 38 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
apache2/apache2_config.c
View File

@@ -2266,11 +2266,9 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
"Key and URI");
}
// FIXME: make it https only.
// if (strncasecmp(p1, "https", 5) != 0) {
if (strncasecmp(uri, "http", 4) != 0) {
if (strncasecmp(uri, "https", 5) != 0) {
return apr_psprintf(cmd->pool, "ModSecurity: Invalid URI:" \
" %s, expected an HTTPS address.", uri);
" '%s'. Expected HTTPS.", uri);
}
// FIXME: Should we handle more then one server at once?